Azure Files for Profiles and PVS

Creating storage in Azure that integrates with your on-premises Active Directory is a pain.  We want machines hosted in Azure to access Azure Files like any other share on the network, without supplying additional credentials at access time, just as a domain-joined machine on-premises would.

This requires doing some work via the GUI and some via PowerShell, or doing the whole process through PowerShell with lots of different modules.  I created the PowerShell script below to help automate this process.

This script lets you pre-populate the necessary variables at the beginning; it should then download all the necessary modules and components and create the share with permissions.  There is a real possibility that this script will crash out on you; if it does, it is usually when the PowerShellGet or AzFilesHybrid steps execute.  If so, do those portions manually and comment out the corresponding lines.  I tried to call out line numbers, but if I don't hit them exactly, look around those areas and the comments should lead you where you need to go.

Once this is all set up, you can create additional shares from the GUI itself and all of these pre-set changes (AD authentication and the default share permission) will cascade down to them.

To access this share, grab the URL from the properties of the share in the Azure Portal.  Replace each / with \ and replace the https:// with \\, so https://<account>.file.core.windows.net/<share> becomes \\<account>.file.core.windows.net\<share>.
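As an added example that is not part of the original script, the PowerShell function below does that URL-to-UNC conversion and then checks that the logged-on domain identity can reach the share over SMB without supplying a credential, which is the whole point of the setup. It assumes the machine running it is domain-joined and that the share URL is passed in; the URL shown in the call is a placeholder.

```powershell
# Added example: verify that an AD-joined machine can reach an Azure Files share
# over SMB with its own Kerberos identity (no stored credential).
function Test-AzFilesShareAccess {
    param(
        # Share URL as shown in the portal, e.g. https://<account>.file.core.windows.net/<share>
        [Parameter(Mandatory)][string]$ShareUrl
    )

    # https://host/share  ->  \\host\share
    $uri = [System.Uri]$ShareUrl
    if ($uri.Scheme -ne 'https') { throw "Expected an https:// share URL, got '$ShareUrl'" }
    $uncPath = '\\' + $uri.Host + ($uri.AbsolutePath -replace '/', '\')

    # SMB needs outbound TCP 445; a blocked port is easy to mistake for an auth failure.
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port 445 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        return [pscustomobject]@{
            UncPath    = $uncPath
            Port445    = $false
            Accessible = $false
            Note       = 'TCP 445 to the storage endpoint is blocked'
        }
    }

    # Test-Path with no -Credential forces the logged-on domain account to be used,
    # which is what Kerberos authentication to the storage account requires.
    $ok = Test-Path -LiteralPath $uncPath

    # After the access attempt, a Kerberos ticket for cifs/<host> should be cached;
    # if it is missing, the session fell back to NTLM or the SPN/domain join is wrong.
    $ticket = (klist) -match [regex]::Escape("cifs/$($uri.Host)")

    [pscustomobject]@{
        UncPath    = $uncPath
        Port445    = $true
        Accessible = $ok
        Note       = if ($ticket) { "Kerberos ticket present for cifs/$($uri.Host)" }
                     else { 'No Kerberos ticket for the share; check domain join, SPN and EncryptionType' }
    }
}

# Placeholder URL; replace with the URL from the share's properties in the portal.
Test-AzFilesShareAccess -ShareUrl 'https://<account>.file.core.windows.net/<share>'
```

Run it on a domain-joined machine after the script below has finished; an `Accessible = True` result with a cached `cifs/` ticket confirms the share is being accessed with the machine's own domain identity.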

You can download the link file at the bottom of this page to access the script.


# Define parameters. $StorageAccountName currently has a maximum limit of 15 characters, because the AD computer account created for it is limited to a 15-character name.
# If you wish to use existing Resource Group or Storage Account comment out the section near Line 50 and Line 54
# Make sure to run this script on a machine joined to the target domain
$SubscriptionId = "<Subscription ID>"
$ResourceGroupName = "<Resource Group>"
$StorageAccountName = "<Storage Account Name>"
$DomainAccountType = "ComputerAccount"
$OuDistinguishedName = "<Distinguished Name of OU to place AZ machine account>"
# Specify the encryption algorithm(s) used for Kerberos authentication. The default is "'RC4','AES256'", which supports both 'RC4' and 'AES256'. Prefer AES256 alone unless something in the environment still requires RC4.
$EncryptionType = "<AES256|RC4|AES256,RC4>"
$AZLocation = "<Azure Zone>"
$shareName = "<fileshare name - must be lowercase letters and numbers only, no spaces or extended characters>"


# Begin code execution
# Change the execution policy to unblock importing AzFilesHybrid.psm1 module
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
# Install latest PowerShellGet module (may require a restart of powershell)
Install-Module -Name PowerShellGet -Force


#Install Azure Powershell modules
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force


# Download AzFilesHybrid (wget is only an alias for Invoke-WebRequest on Windows PowerShell, so call the cmdlet directly)
Invoke-WebRequest -Uri https://github.com/Azure-Samples/azure-files-samples/releases/download/v0.2.4/AzFilesHybrid.zip -OutFile azfileshybrid.zip


#Unzip files
Expand-Archive .\azfileshybrid.zip


# Navigate to where AzFilesHybrid is unzipped and stored and run to copy the files into your path
# If this fails out on you, just run the CopyToPSPath.ps1 manually then comment out lines 27-35
cd .\azfileshybrid\AzFilesHybrid\
.\CopyToPSPath.ps1
# Import AzFilesHybrid module
Import-Module -Name AzFilesHybrid


# Log in with an Azure AD credential that has either the Storage Account Owner or Contributor Azure role assignment
# If you are logging into an Azure environment other than Public (ex. AzureUSGovernment) you will need to specify that.
# See https://docs.microsoft.com/azure/azure-government/documentation-government-get-started-connect-with-ps
# for more information.
Connect-AzAccount


# Select the target subscription for the current session
Select-AzSubscription -SubscriptionId $SubscriptionId


# Create the Resource Group for your Storage Location. Comment this out if you are using an existing resource group


New-AZResourceGroup -Name $ResourceGroupName -Location $AZLocation


# Create Storage account in the new Resource Group. Comment this out if you are using an existing Storage account.


New-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -SkuName Premium_LRS -Location $AZLocation -Kind FileStorage -EnableLargeFileShare


# If this is a test environment and you wish to use less expensive Standard_LRS storage, comment out the line above and uncomment the line below.


#New-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -SkuName Standard_LRS -Location $AZLocation -Kind StorageV2 -AllowBlobPublicAccess $false -AllowSharedKeyAccess $false


# Register the target storage account with your Active Directory environment under the target OU (for example, specify the OU with Name "UserAccounts" or DistinguishedName "OU=UserAccounts,DC=CONTOSO,DC=COM").
# You can use the Get-ADOrganizationalUnit cmdlet to find the Name and DistinguishedName of your target OU. If you are using the OU Name, specify it with -OrganizationalUnitName. If you are using the OU DistinguishedName, set it with -OrganizationalUnitDistinguishedName, as shown below. Provide one of the two to specify the target OU.
# You can create the identity that represents the storage account as either a Service Logon Account or a Computer Account (the default), depending on the AD permissions you have and your preference.
# Run Get-Help Join-AzStorageAccountForAuth for more details on this cmdlet.


Join-AzStorageAccountForAuth -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -DomainAccountType $DomainAccountType -OrganizationalUnitDistinguishedName $OuDistinguishedName -EncryptionType $EncryptionType -OverwriteExistingADObject


# Run the command below if you want to enable AES256 Kerberos authentication. If you plan to use RC4 only, you can skip this step.
Update-AzStorageAccountAuthForAES256 -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName


# Set the default share-level permission of your choice for authenticated AD identities
# (StorageFileDataSmbShareReader, StorageFileDataSmbShareContributor or StorageFileDataSmbShareElevatedContributor)
$defaultPermission = "StorageFileDataSmbShareContributor"


$account = Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -AccountName $StorageAccountName -DefaultSharePermission $defaultPermission


# Display the resulting identity-based auth settings to confirm the directory service (AD) and default share permission took effect
$account.AzureFilesIdentityBasedAuth


# Create the file share in the Storage Account.
# -AccessTier (TransactionOptimized/Hot/Cool) only applies to standard StorageV2 accounts; shares in a Premium FileStorage account are always the Premium tier, so the parameter is omitted there.
$sku = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName).Sku.Name
if ($sku -like "Premium*") {
    New-AzRmStorageShare -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -Name $shareName
} else {
    New-AzRmStorageShare -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -Name $shareName -AccessTier TransactionOptimized
}


# You can run the Debug-AzStorageAccountAuth cmdlet to conduct a set of basic checks on your AD configuration with the logged-on AD user. This cmdlet is supported on AzFilesHybrid v0.1.2 and later. For details on the checks it performs, see the Azure Files Windows troubleshooting guide.
Debug-AzStorageAccountAuth -StorageAccountName $StorageAccountName -ResourceGroupName $ResourceGroupName -Verbose

ConnectSMBtoAzureFiles.ps1
